A new Bluetooth contact tracing system for detecting Covid-19 proximity has been developed by a team of scientists and data privacy experts, including researchers from UCL.
The DP-3T tracing system, which is presented openly for public scrutiny in a new White Paper, works at scale and has been developed to the highest privacy standards, ready to deploy into an app.
The system enables epidemiologists to analyse the spread of the pandemic while fully respecting individual rights to privacy: no personal data ever leaves an individual's device or is centralised in a cloud server, so the data cannot be repurposed for anything other than public health. It is proposed as one of the protocols for the Pan-European Privacy Preserving Proximity Tracing project (PEPP-PT).
Data rights and regulation lecturer, Dr Michael Veale (UCL Laws), said: "There are a lot of concerns about Bluetooth tracing being administered centrally by governments, particularly in countries that have weaker privacy laws and concern for human rights. We have developed a practical solution that could help tell someone when they come into contact with someone that has tested positive for Covid-19, while at the same time ensuring that the user’s information never leaves their phone."
The system works as follows. People who have tested positive for Covid-19 are authorised to upload, via the app, the random, constantly changing identifiers their phone has been emitting over Bluetooth. Other app users download these identifiers and compare them with the ones their own devices have collected. If they were in close proximity to a person who tested positive for a significant duration, they receive a prompt notification, along with WHO-approved guidance on next steps.
While these uploaded identifiers are useful to app users, they are useless to the central server: it cannot identify who an uploader is or learn any characteristics of that individual.
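The upload-and-compare flow described above, as an added toy model (not code from the DP-3T project): each phone broadcasts fresh random identifiers and logs how long it hears others; a positive-tested user publishes only their own emitted identifiers; matching happens on the receiving phone. The rotation interval, exposure threshold and identifier size are constructed assumptions, not DP-3T parameters.

```python
import secrets
from collections import defaultdict

EXPOSURE_THRESHOLD_SECONDS = 900   # assumed "significant duration" (constructed value)


def new_identifier() -> bytes:
    """Random ephemeral identifier a phone broadcasts for one rotation period."""
    return secrets.token_bytes(16)  # 16 bytes is an assumption, not a protocol constant


class Phone:
    """One app user's device. Only `emitted` ever leaves the phone, and only
    if the user tests positive and chooses to upload."""

    def __init__(self) -> None:
        self.emitted: list[bytes] = []                    # identifiers this phone broadcast
        self.observed: dict[bytes, int] = defaultdict(int)  # heard identifier -> seconds

    def rotate(self) -> bytes:
        ident = new_identifier()
        self.emitted.append(ident)
        return ident

    def hear(self, ident: bytes, seconds: int) -> None:
        self.observed[ident] += seconds

    def upload_after_positive_test(self, server: "Server") -> None:
        server.publish(self.emitted)       # random bytes only; no name, no contact log

    def contact_seconds(self, server: "Server") -> int:
        """Local matching: downloaded identifiers against the phone's own log."""
        return sum(self.observed[i] for i in server.download() if i in self.observed)

    def is_exposed(self, server: "Server") -> bool:
        return self.contact_seconds(server) >= EXPOSURE_THRESHOLD_SECONDS


class Server:
    """Stores uploaded identifiers of positive users and nothing else."""

    def __init__(self) -> None:
        self.published: set[bytes] = set()

    def publish(self, identifiers: list[bytes]) -> None:
        self.published.update(identifiers)

    def download(self) -> set[bytes]:
        return set(self.published)


def simulate() -> tuple[bool, bool, int]:
    """Constructed scenario: Bob spends three long periods near Alice, Carol only
    passes by briefly; Alice later tests positive and uploads."""
    alice, bob, carol, server = Phone(), Phone(), Phone(), Server()
    for _ in range(3):
        ident = alice.rotate()
        bob.hear(ident, 600)
        carol.hear(ident, 60)
    alice.upload_after_positive_test(server)
    return bob.is_exposed(server), carol.is_exposed(server), len(server.published)
```

The server ends up holding three opaque random values and learns nothing about who Alice met; Bob's phone alone concludes he was exposed.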
Several governments across the world have used contact tracing as part of efforts to control the spread of the coronavirus. China, for example, has reportedly relied on mass surveillance of phones to classify individuals by their health status and restrict their movements.
However, concerns have been raised about what this means for individual privacy rights, and what happens if the data is misused or used beyond the initial purpose.
"Given this is a global problem, it is key such a system works across borders, so they can be re-opened," said Dr Veale. "If one country uses a centralised system, then they all have to, putting citizens of countries with limited respect for human rights or the rule of law at serious risk. In our system, it works the other way - citizens around the world would be protected from surveillance and misuse, while epidemiologists get the insights they tell us they need."
The team of 25 scientists from across Europe, including the Swiss Federal Institutes of Technology and KU Leuven in Belgium, has developed a system that hides all personal information from the server.
The system provides the following privacy and security protections:
- Ensures data minimisation: the central server only observes anonymous identifiers of people who test positive for Covid-19, without any proximity information; health authorities learn nothing unless a user chooses to contact them after being notified; and epidemiologists obtain an anonymised proximity graph containing minimal information.
- Prevents abuse of data: as each entity in the system receives only the minimum information tailored to its role, none of them can abuse the data for other purposes, nor can they be coerced or subpoenaed into making other data available.
- Prevents tracking of non-infected users: No entity, including the backend of the app, can track non-infected users.
- Graceful dismantling: The system will organically dismantle itself at the end of the pandemic. Infected patients will stop uploading their data to the central server, and people will stop using the app. Data on the server is removed after 14 days.
Dr Veale added: "We have developed a decentralised privacy design to ensure individual data remains anonymous, we prevent abuse of data by third parties, and prevent tracking of non-infected individuals. There is really no good reason not to adopt such a private system - and if less private alternatives are deployed, it should raise serious questions about future plans.
"We are opposed to data being collected centrally as this raises questions over future intended purposes of individual information, and will affect the adoption of any such app. If it is not adopted by over a majority of the population because users do not trust it to not misuse their data, the research indicates it will not be useful - and this could endanger lives."